So, credential management. You might wonder why that is important, but it's quite critical to help secure the routing infrastructure. Credentials assert identity: who are you and what are you allowed to do, and there are many, many compromises that at the root of it have to do with very poor credential management practices. Have you heard of Mirai? I would be surprised if you hadn't. Remember that the root of Mirai was compromising vulnerabilities that dealt with telnet, in effect sending credentials in clear text and, even worse, having default passwords. So really we need to start looking at how we help, when we're in control of the routing infrastructure, to make sure that we're not part of the problem.

So how are credentials compromised? There are a variety of ways. Very often people use the same passwords on many systems.
That's really bad practice, and it can also lead to sometimes being a victim of a phishing attack, because if you're using the same password to log into your routing infrastructure in other areas, it gives more of a possibility that a phishing attack can actually work when somebody sends you an email that looks like something you need to click on and enter your credentials. Also, if your laptop gets stolen, if you're not encrypting your laptop, or if you don't have the spreadsheet with your passwords encrypted, then somebody who has access to the stolen laptop could potentially have access to all the passwords in your infrastructure.

People also, unfortunately, send credentials in clear-text emails, just to say, "Hey, I need you to log into the router or configure this router, and here are the passwords to it." It happens. It shouldn't happen, and we just have to pay attention to what we're doing.
So we need to think about the entire credential management lifecycle. Maybe it looks daunting, but really it isn't. You just have to think about, when you're creating, changing or renewing credentials, how do you distribute them? Make sure you do it in a secure manner. Also, how do you store them? We have to think about mobile devices these days. So if you're doing something using your iPhone or some other phone and you have backups in the cloud, are you sending information into the cloud, i.e. somebody else's computer, and can that be compromised? So just be cognizant of where the data is going. Also, how do you actually revoke credentials, and how do you destroy them? So just think about the entire lifecycle so that you know that nobody unauthorized gets access to a password and potentially misuses it.
It is very important to think about all of the different credentials or passwords that are associated with the routing infrastructure. It's not only you as an operator that would maybe have physical access and have a password to get console access, or even telnet or SSH access; you also need to think about all the different credentials that are associated with protocols or management devices, for example SNMP, IPsec, syslog, and even secure NTP these days has credentials. Then we had a module on secure route authentication, also sometimes called MD5 authentication, and there are passwords associated with this. So all of these credentials are something you have to think about. How do you create them? How do you change them? And then how do you store them, distribute them and delete them?
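As an added example, not part of the lecture or the NSRC material, here is a small Python audit that walks a constructed IOS-style configuration, flags the credential handling the lecture warns about (cleartext passwords, telnet access, default SNMP community strings) and inventories the protocol credentials that have to be tracked through the lifecycle. The sample configuration, the check patterns and the function name are assumptions made for this example.

```python
import re

# Constructed sample configuration in Cisco IOS-style syntax (not from any real
# device). It contains the kinds of credential-bearing lines the lecture lists:
# console/VTY access, SNMP, NTP authentication and BGP MD5 route authentication.
SAMPLE_CONFIG = """\
hostname edge-router
enable password letmein
username ops password 0 cisco
username backup password 7 0822455D0A16
snmp-server community public RO
snmp-server community n3tmgmt-ro RO
ntp authentication-key 1 md5 ntpsharedkey
router bgp 64512
 neighbor 192.0.2.1 password bgpmd5pass
line vty 0 4
 transport input telnet
"""

# (regex, severity, message) checks for weak credential handling.
CHECKS = [
    (r"^enable password ", "high", "cleartext enable password; use 'enable secret'"),
    (r"^username \S+ password (0 )?[^ ]+$", "high", "cleartext local user password"),
    (r"^username \S+ password 7 ", "medium", "type 7 password is reversibly encoded"),
    (r"^transport input (telnet|all)\b", "high", "telnet sends credentials in cleartext"),
    (r"^snmp-server community (public|private)\b", "high", "default SNMP community string"),
]

# Stanzas that carry a credential and must be tracked through the lifecycle.
INVENTORY = [
    (r"^snmp-server community ", "SNMP community"),
    (r"^ntp authentication-key ", "NTP authentication key"),
    (r"^neighbor \S+ password ", "BGP MD5 neighbor password"),
    (r"^crypto isakmp key ", "IPsec pre-shared key"),
]

def audit_credentials(config):
    """Return (weaknesses, inventory): weaknesses as (severity, line, message),
    inventory as (kind, line) for every credential-bearing line in the config."""
    weaknesses, inventory = [], []
    for raw in config.splitlines():
        line = raw.strip()  # indented sub-commands (e.g. under 'line vty') are matched too
        for pattern, severity, message in CHECKS:
            if re.match(pattern, line):
                weaknesses.append((severity, line, message))
        for pattern, kind in INVENTORY:
            if re.match(pattern, line):
                inventory.append((kind, line))
    return weaknesses, inventory
```

Running `audit_credentials(SAMPLE_CONFIG)` on the constructed config reports five weaknesses and four credentials to manage; a config that uses `secret` and SSH-only VTYs reports none.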
© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.
Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)